HACK ACCOUNTS USING MITM [SSLstrip & HSTS BYPASS using BETTERCAP]

BetterCAP is a powerful, flexible and portable tool created to perform various types of MITM attacks against a network, manipulate HTTP, HTTPS and TCP traffic in real time, sniff for credentials and much more.
To harvest the credentials a victim enters, bettercap runs a Man in the Middle attack against a single victim or against everyone on the same network. The attack relies on two techniques.
The first is ARP poisoning, used to spoof (or imitate) the MAC addresses of the wireless router and of the victims' PCs or mobiles. The attacker must be on the same network as the victims. Because of the ARP spoofing, the router believes it is communicating directly with the victim and the victim believes it is communicating directly with the router, while in fact both are communicating with the attacker.
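The ARP poisoning described above leaves a visible trace on the victim machine: the gateway's IP and the attacker's IP end up resolving to the same MAC address in the local neighbour table, and the gateway's MAC differs from the one seen before the attack. The following Python script is an added example (not code from this post and not part of bettercap) that checks for exactly those two conditions. The neighbour-table text is a constructed sample in the format of `ip -4 neigh show`; the gateway address, interface name and the "pinned" expected MAC are assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample of `ip -4 neigh show` output (not captured from a real host).
# The gateway 192.168.1.1 and the host 192.168.1.37 resolve to the same MAC,
# which is what a successful ARP poisoning of this machine looks like locally.
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 02:00:00:aa:bb:37 REACHABLE
192.168.1.20 dev wlan0 lladdr 02:00:00:aa:bb:20 STALE
192.168.1.37 dev wlan0 lladdr 02:00:00:aa:bb:37 REACHABLE
192.168.1.50 dev wlan0 FAILED
"""

# One neighbour entry: IPv4 address, interface, link-layer address. Entries
# without "lladdr" (FAILED/INCOMPLETE) carry no MAC and are skipped.
NEIGH_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+(?P<mac>[0-9a-f:]{17})",
    re.IGNORECASE,
)


def parse_neigh(text):
    """Return {ip: mac} for entries that have a resolved link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


def find_shared_macs(table):
    """Group IPs by MAC and return only the MACs claimed by more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def check_gateway(table, gateway_ip, expected_mac=None):
    """Flag the conditions that indicate the gateway entry has been poisoned:
    - the gateway's MAC also answers for another IP on the segment
    - the gateway's MAC differs from a previously recorded (pinned) value
    Returns a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return [f"no ARP entry for gateway {gateway_ip}"]
    shared = find_shared_macs(table)
    if gw_mac in shared:
        others = [ip for ip in shared[gw_mac] if ip != gateway_ip]
        findings.append(f"gateway {gateway_ip} shares MAC {gw_mac} with {', '.join(others)}")
    if expected_mac and gw_mac != expected_mac.lower():
        findings.append(f"gateway MAC changed: expected {expected_mac.lower()}, seen {gw_mac}")
    return findings


if __name__ == "__main__":
    # Assumed gateway address and previously pinned gateway MAC for the sample.
    neigh_table = parse_neigh(SAMPLE_NEIGH)
    for finding in check_gateway(neigh_table, "192.168.1.1", expected_mac="02:00:00:aa:bb:01"):
        print("ALERT:", finding)
```

On a real host, replace `SAMPLE_NEIGH` with the output of `ip -4 neigh show` and record the gateway MAC while the network is known-good; a MAC that suddenly answers for two addresses, one of them the gateway, is the local symptom of the attack this post describes, and static ARP entries or switch-side dynamic ARP inspection are the usual ways to stop it.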
The second is SSLstrip, and it is what makes this a preferred method for stealing credentials. SSLstrip removes the encryption from web traffic, so the connection is left unencrypted and the Secure Socket Layer (SSL) protocol implemented between router and device is defeated. Once a packet is captured, its contents can be read in plain, human-readable form rather than as unintelligible ciphertext. Long story short, this technique replaces every https link in the web pages the target browses with http ones.
HSTS was introduced to counter such attacks.
HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with them using secure HTTPS connections, and never via the insecure HTTP protocol.
Before HSTS was introduced it was possible to strip SSL and send an insecure HTTP page to the victim. This was overcome by HSTS, which records which sites use SSL and prevents the user from accessing the insecure HTTP version of those sites.
Moreover, HSTS policies have been prebuilt into major browsers, meaning that even with an SSL stripping attack running the browser will connect over HTTPS anyway, even if the http:// scheme is specified, making the attack itself useless.
But sslstrip+ (sslstrip2) introduced a new method: the attacker uses a different domain name, such as http://wwww.facebook.com/ instead of http://www.facebook.com/, so that the browser does not find the domain in its HSTS list and allows an insecure HTTP connection to "facebook" (in reality, the attacking proxy).
Since HSTS rules are most of the time applied on a per-hostname basis, the trick is to downgrade HTTPS links to HTTP and prepend a custom subdomain to them. None of the resulting hostnames would be valid for any DNS server, but since we're MITMing we can resolve them anyway.
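The per-hostname behaviour that the subdomain trick relies on is the browser's HSTS lookup: a host is forced to HTTPS only if it has its own cached policy, or if a parent domain's policy was sent with the `includeSubDomains` directive. The Python below is an added example (not code from this post or from bettercap) that parses a `Strict-Transport-Security` header, models that lookup as RFC 6797 describes it, and reports the gaps that leave a site exposed to the attack described above. The cached policies and the hostnames (`www.facebook.com` and the attacker-chosen `wwww.facebook.com` from the text) are constructed scenarios, and the one-year `max-age` threshold is a common recommendation used here as an assumption.

```python
import re

ONE_YEAR = 31536000  # seconds; assumed recommended minimum max-age


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into a policy dict.
    Returns None if the header is missing or carries no usable max-age."""
    if not header:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', value.strip())
            if m:
                policy["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None
    return policy


def is_hsts_protected(host, cache):
    """Browser-side lookup: walk from the full hostname up through its parent
    domains. An exact entry always applies; a parent entry applies only if it
    was stored with includeSubDomains. `cache` maps hostname -> parsed policy."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        policy = cache.get(candidate)
        if policy is None or policy["max_age"] == 0:
            continue
        if i == 0 or policy["include_subdomains"]:
            return True
    return False


def assess_policy(policy):
    """Return the weaknesses in a site's HSTS policy relevant to SSL stripping."""
    if policy is None:
        return ["no HSTS policy: every visit can be downgraded to HTTP"]
    gaps = []
    if not policy["include_subdomains"]:
        gaps.append("no includeSubDomains: attacker-chosen subdomains are not covered")
    if not policy["preload"]:
        gaps.append("no preload: the first visit before the header is seen is unprotected")
    if policy["max_age"] < ONE_YEAR:
        gaps.append(f"max-age {policy['max_age']} is shorter than one year")
    return gaps


if __name__ == "__main__":
    # Constructed scenario 1: the browser only cached a per-hostname policy.
    weak = {"www.facebook.com": parse_hsts("max-age=31536000")}
    # Constructed scenario 2: the registrable domain sent a full policy.
    strong = {"facebook.com": parse_hsts("max-age=31536000; includeSubDomains; preload")}
    for name, cache in (("weak", weak), ("strong", strong)):
        print(name, "wwww.facebook.com ->", is_hsts_protected("wwww.facebook.com", cache))
```

The second scenario is the defender's fix: because `wwww.facebook.com` is a sibling of `www.facebook.com` rather than a child, even `includeSubDomains` on `www.facebook.com` does not cover it; the policy has to be set on `facebook.com` itself with `includeSubDomains`, and preloading closes the remaining window before the header has ever been seen.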
